aubreyturner.org
June 15, 2004
The 'Duh' Report

The Federal Trade Commission finally made its report to Congress today on a proposed do-not-spam registry.

The Federal Trade Commission today told Congress that, at the present time, a National Do Not Email Registry would fail to reduce the amount of spam consumers receive, might increase it, and could not be enforced effectively. In a report filed in response to a statutory mandate, the FTC also said that anti-spam efforts should focus on creating a robust e-mail authentication system that would prevent spammers from hiding their tracks and thereby evading Internet service providers' anti-spam filters and law enforcement. To help focus these efforts, the FTC today announced that it will be sponsoring a Fall 2004 Authentication Summit to encourage a thorough analysis of possible authentication systems and their swift deployment.

...

The FTC's report analyzed three types of possible registries: a registry containing individual e-mail addresses; a registry containing the names of domains that did not wish to receive spam; and a registry of individual names that required all unsolicited commercial e-mail to be sent via an independent third party that would deliver messages only to those email addresses not on the registry.

The FTC studied these three possible registry models by reviewing registry proposals from some of the nation's largest Internet, computer, and database management firms; consulted with more than 80 individuals representing more than 50 organizations including consumer groups, e-mail marketers, anti-spam advocates, and others; demanded information from the seven ISPs that control over 50 percent of the market for consumer e-mail accounts; and retained the services of three of the nation’s preeminent computer scientists.

The Report concludes that all three possible registry models could not be enforced effectively. A registry of individual email addresses also suffers from severe security/privacy risks that would likely result in registered addresses receiving more spam because spammers would use such a registry as a directory of valid email addresses. It ultimately would become the National Do Spam List. Furthermore, a registry of domains would have no impact on spam and a third-party forwarding service model could have a devastating impact on the e-mail system.
It seems kind of silly that they had to waste all this time figuring this out. Anyone with any knowledge of the unscrupulous practices of spammers could have told them that any kind of registry would just turn into a list of validated email addresses that the spammers would hit harder than ever.

I know that Microsoft and a number of other big companies are behind the idea of an authenticated sender system. The only problem I see is that given time the spammers will likely find some way to corrupt the system or work around it. Perhaps it's time for the real spam solution: find some of the spammers and kill them slowly and painfully as examples to the others.

Posted by Aubrey at 01:16 PM
May 18, 2004
Expression Engine

I've been playing with the 14-day free trial version of Expression Engine. I wasn't able to install it on my hosting account because the trial version uses Zend Optimizer to encrypt/obfuscate their PHP source. Unfortunately, Zend Optimizer required root access for installation. The fully licensed version will not have this problem, though.

In the meantime I installed the trial on my Linux system at home and created two weblogs. I then imported all the entries from this site as well as The Bitch Girls into those weblogs and set about trying to figure out their template system. While you can create multiple weblogs in Expression Engine, you have to do a lot of template customization to make those weblogs truly separate. I think I've finally gotten it all figured out, at least in terms of how to code the templates.

There appears to be some kind of problem with the archive page, though. It just displays the year and month and then nothing. I will check the support forums to see if this is a known problem or if there is a fix.

I'm not sure if I'll be implementing Expression Engine anytime soon, but I wanted to give it a try to see if it would be useful. So far, though, it's far superior in terms of posting performance in that no rebuilds have to be done for new posts or when changing templates/layout. Also, comments seem to work faster than with MT. However, this all comes at the price of being a little harder on the server since all pages are dynamic and require DB access to display them. In a typical installation, using PHP as an Apache module, this would be mitigated somewhat by caching. However, my webhost's default configuration is to run PHP as a CGI process. This provides better security in that they use a SUEXEC wrapper to allow the CGI process to run under my user ID rather than the ID of the server. This allows for better file access control (i.e. you don't have to set files and directories with 666 or 777 permissions) at the expense of the loss of caching. I may try setting up my home system to run PHP as a CGI process to see how that affects performance. I'd hate to finish the evaluation and buy the product only to find that it performs poorly in the actual production environment.

Posted by Aubrey at 09:54 AM
May 14, 2004
Movable Type Prices Themselves Out of the Market

I've been running four weblogs with a total of nine authors on my current copy of MT (I interpreted this as being legal, since I don't charge for it and I don't offer a service; all the weblogs are run from a single instance of MT on a single server). Movable Type just announced a new license model for MT 3.0. From what I can see of their new license model, my current usage would require the purchase of "Movable Type 3.0 Personal Edition Volume License II" at a cost of $149.95. They also offer a free version, but it is limited to no more than four weblogs with one author, so that isn't an option.

Before I put down $150 for weblogging software, I'm going to investigate the alternatives. Of course, the hassle of migrating to new software might make it worth the cost, but that remains to be seen. MT 3.0 had better have improved a lot of things significantly if they want to charge those kinds of prices.

More at Slashdot.

Update: I really like some of the features I see in pMachine's Expression Engine. For the same price as the "personal" MT 3.0 version I could get Expression Engine for noncommercial use and have unlimited authors and weblogs. I may give it a try one of these days. But for now, as long as MT 2.661 does the job I'm going to leave well enough alone.

Posted by Aubrey at 11:25 AM
May 12, 2004
Spamming Bastards Get Injunction Against SpamCop

OptIn Real Big has obtained an injunction against IronPort, the company that owns SpamCop. For those who don't know, SpamCop is a service that automatically decodes the headers on spam emails and sends notifications to the spammer's ISP about the spam. Since sending spam is a violation of the TOS or AUP for most ISPs, this usually gets the spammer kicked off the service.

Scott Richter, the self-professed "Spam King" and president of e-mail marketing company OptIn, sued IronPort and SpamCop on April 29 for allegedly interfering with his business and causing his Internet service providers to block his company's e-mail. He also charged SpamCop with not disclosing the identity of people who complain about its e-mail, thereby aiding potential violations of the Can-Spam Act, which requires the removal of people from future mailings if they so choose.

"This whole system is done in the dark--we don't know who's complaining, what the substance of the complaint is, and there's no opportunity to correct the complaint" to comply with provisions in the Can-Spam Act that require a company to remove people from a mailing list, said Steven Richter, an attorney for OptIn.

"We're asking for the right to handle complaints."
First, there should be enough information in a SpamCop ISP report to identify the offender and the recipient. In fact, there is more information than that there, because I have one spammer who added my SpamCop address to their "opt-in" list (as I have noted before, I use a unique address for all of my online dealings, one which indicates the company that I'm doing business with, and since I own several domains I know these addresses have not been used before).

Frankly, this points out one of the weaknesses (of which there are many) of the CAN SPAM act. It requires that the receiver of spam contact the sender to be removed. Since spammers have proven themselves to be unscrupulous bastards, no one with any sense will contact the spammer to ask to be removed, since this usually just confirms that the address is active and results in more spam.

I know from my own dealings with Opt In Real Big that their claims of having obtained permission to send me spam are lies. They were using an address that I had given to a company that I knew I had told not to send me any promotional emails. Further, they were advertising things from another company entirely.

If they think this is going to make life any easier for them, they're sadly mistaken, though. If I get any spam from these bastards while the injunction is in progress I'll just report them to their ISP myself. I have the knowledge to hunt them down on my own; it's just that SpamCop provided a handy automated interface to do what would otherwise take me several steps to do myself.

More discussion of this topic is available on Slashdot.

Posted by Aubrey at 10:01 AM
April 07, 2004
Site Upgrade

I've upgraded the site to Movable Type 2.661 and installed the CloseComments plugin. From this point forward I will be automatically closing comments on all posts that are more than 30 days old. Hopefully this will cut down on some of the comment spam that is coming in on year-old posts.

Posted by Aubrey at 09:31 AM
April 02, 2004
Gateway Closing Stores

Gateway will be closing all of its remaining retail stores (188 of them with approximately 2500 jobs). I'm not terribly surprised by this. Last year when I still lived in Denton I went on the hunt for a new laptop. I drove down to Lewisville and went to Best Buy, the Gateway Store, and CompUSA. I previously wrote about my dislike for Best Buy. However, the experience at the Gateway Store was also disappointing, but for a different reason. The store was simply a front for their web/phone order system. You would go in and most of the equipment wasn't available in the store. When I go into a retail store I generally expect to be able to walk out with the product. It was frustrating to me when they said that the model I wanted had to be ordered and would be shipped. Since my goal was to have a laptop in hand when I returned home that day I left and went back across I-35 to CompUSA. A few weeks later that Gateway store closed.

I can understand the need to custom order certain configurations of a system. In fact, I know that some stores do this. But a computer store is also expected to have stock on hand for immediate delivery. If all they're doing is acting as an order taker and then shipping it to your house, that's next to useless for most people who go out to buy something that day.

Posted by Aubrey at 08:43 AM
March 30, 2004
Silenced!

Throughout the day yesterday my hosting company (Dreamhost) was the target of a major distributed denial of service attack (DDOS) (it was actually aimed at one of their main routers), making it nearly impossible to access my website or my email server. This also affected The Bitch Girls, as they are hosted on my account.

Posted by Aubrey at 08:06 AM
March 25, 2004
arcing intense seal coloratura haggard

The title of this post is taken directly from the subject line of a spam that I just received on my work email. Our company's mail servers have spam filters that block out tremendous amounts of spam each day, but lately I've seen a number of these getting through. The use of unusual words is the latest attempt by the spammers to get around Bayesian filters. It works to some extent, but by rendering their messages nonsensical it makes it quite simple for me to delete their messages unread.

Further, they are being forced to insert random words and punctuation into the body of the emails, which makes them almost unreadable. If we can at least continue to force the spammers to make themselves spout gibberish then we may eventually win this war. Spammers have to push a product at some point in their messages, but that's hard to do when they're forced to write gibberish to get past the filters. Or at least that's my hope. Given that spammers are fiendishly clever technically, but abysmally stupid socially, I may be hoping for too much.

Alternately, we may be able to take advantage of the gibberish nature of the spam to enhance the Bayesian filters with another layer of filtering that looks at grammar and structure. Granted, this might require the current generation of IM-kiddies to learn to spell and to write in complete sentences, but I think of that as a feature rather than a bug.

Posted by Aubrey at 08:35 AM
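
The second filtering layer suggested in the March 25 post above, sketched as an added example (not code from the original post): it measures how much of a message sits in long runs of words with no articles, prepositions or pronouns between them, and is consulted only when the Bayesian score is below the spam cutoff. The word list, thresholds, sample bodies and Bayesian scores are constructed assumptions.

```python
import re

# Closed-class "function" words that real sentences cannot avoid for long.
# Assumption: a short English-only list, enough for this sketch.
FUNCTION_WORDS = frozenset("""
a an the and or but if so of to in on at by for from with as is are was were
be been am do does did have has had will would can could should may might
must not no this that these those it its i you he she we they me my your our
their his her them us what which who when where how why there here than
""".split())

TOKEN_RE = re.compile(r"[A-Za-z']+")


def structure_stats(text, min_run=8):
    """Measure how much of a message sits in long runs of content words.

    Punctuation and line breaks are ignored on purpose: the padding comes
    with random punctuation, so sentence boundaries cannot be trusted.
    """
    tokens = [t.lower() for t in TOKEN_RE.findall(text)]
    longest = salad = run = 0
    for tok in tokens + ["the"]:  # sentinel function word flushes the last run
        if tok in FUNCTION_WORDS:
            if run >= min_run:
                salad += run      # whole run counts as suspected padding
            longest = max(longest, run)
            run = 0
        else:
            run += 1
    return {"tokens": len(tokens), "longest_run": longest, "salad_tokens": salad}


def looks_like_word_salad(text, min_tokens=10, min_share=0.5, min_run=8):
    """True when at least min_share of the words are in padding-like runs.

    Short texts (a bare subject line) carry too little evidence and are
    never flagged; a single list-like line in a normal mail stays under
    the share threshold.
    """
    stats = structure_stats(text, min_run)
    if stats["tokens"] < min_tokens:
        return False
    return stats["salad_tokens"] / stats["tokens"] >= min_share


def verdict(bayes_spam_prob, body, spam_cutoff=0.9):
    """Combine an existing Bayesian score with the structure check."""
    if bayes_spam_prob >= spam_cutoff:
        return "spam"
    if looks_like_word_salad(body):
        return "spam-structure"   # Bayesian score was diluted by padding
    return "ham"


# Constructed samples. The subject is the one quoted in the post title.
SUBJECT = "arcing intense seal coloratura haggard"
SPAM_BODY = """Get cheap meds online now, visit our pharmacy today
arcing intense seal coloratura haggard
quorum lattice wombat perihelion, sonnet; gravel mullion
tundra obelisk ferret cadenza. marzipan quasar lintel hacksaw"""
HAM_BODY = """Hi Sam, the build server was down this morning so I moved the release
to Thursday. Can you check that the backup job ran before we deploy?
Agenda: budget review, vendor contracts, hiring plan, office move"""

if __name__ == "__main__":
    # The Bayesian probabilities here are made-up inputs for illustration.
    for name, prob, body in [("spam", 0.40, SPAM_BODY), ("ham", 0.05, HAM_BODY)]:
        print(name, structure_stats(body), verdict(prob, body))
```

The agenda line in the constructed legitimate mail forms a ten-word run on its own, which is why the decision uses the share of the whole message rather than any single run.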
February 02, 2004
More Spam

New blogger Gnu Hunter came across my site and saw my previous rantings on the topic of spam and thought I'd be interested in his analysis of Bill Gates' junk mail solution. Bill seems to think he can solve the spam problem in two years through the use of micropayments. Gnu analyzes just a few of the problems with this approach.

Given that spammers are unscrupulous bastards who will lie, cheat, and steal to get their crap into our inboxes, I'd still like to recommend stringing a few of them up by the toes and bleeding them slowly to serve as an example to others.

Posted by Aubrey at 08:15 AM
January 13, 2004
Silly Government

As usual, government attempts to "help" have come to naught.

MX Logic looked at a random sample of over 1,000 unsolicited commercial emails during the course of a seven day period beginning New Year's Day and found only three of the messages complied with the CAN-SPAM Act.

"Calling this a high rate of non-compliance would be a gross understatement," said Scott Chasin, MX Logic's chief technology officer. "It is no surprise that rogue spammers would fail to comply, but the non-compliant messages we saw appeared to be from all types of companies."
Actually, I saw that this law would not help. In fact, given the way it's written, we would all be guaranteed to get more SPAM. As an example, I've already received one SPAM that alleges that it's just a "Crazy State Law" of the week list and that it's not a commercial email, but that while they're sending me the email I should know about their wonderful offer to "Email Advertise Your Web Site to 1,850,000 0PT-IN Email Addresses for FREE!" (fulltext in the extended entry if you're morbidly curious). Of course, I don't give a damn about protestations of being noncommercial. I reported the bastard via SpamCop. I hope he got spanked appropriately.

Given the economic realities of SPAM, stopping it isn't going to be handled by the law, especially when most of the spammers are operating outside the US. It's something that will require technical and human intervention (like perhaps hanging a few of them from lightposts as examples for others).

Link via Slashdot.

From: "Brian Durham" <782iybjm@everyone.net>
Reply-To: "Brian Durham" <782iybjm@everyone.net>
To: <one of my many email addresses>
Subject: State Laws that you wont believe
Date: Wed, 07 Jan 04 09:36:44 GMT
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

"It is illegal to put tomatoes in clam chowder" - In Massachusetts
The Primary Purpose of this Email is to Deliver You a "Crazy USA State Law of the Week" - The Secondary Purpose of this Email is to Let You Know:

Click Here to Email Advertise Your Web Site to 1,850,000 0PT-IN Email Addresses for FREE!

If You Meet the Criteria of Being A Non-Profit Organization That Helps People Defend Themselves From Unfair State Laws.
Once at Our Web Site, Mail Us With Your Non-Profit Organization Information & We Will Provide Details on How to Receive Your Emailing.

Leave From Our "Crazy USA State Law of the Week" Email List

DISCLAIMER: This is Not a Commercial Email Message and is Exempt From Guidelines Outlined in US Code S.877
The Primary Purpose of this Email is Not a Commercial Advertisement or Promotion of a Commercial Product or Service.
The Secondary Purpose of this Email is a Non-Commercial Offer for Non-Profit Organizations That Defend People From Unfair State Laws

Posted by Aubrey at 10:40 AM
December 17, 2003
This Is Cool

Literally. -100C cool.

The guy who wrote that article took two vaporphase freezers from a lab and ripped their guts out to use to cool his 3GHz P4 down to -83C and overclock it up to 4.4GHz. It wins points for psycho insane overclocking, but I think someone has too much time on his hands.

Link via Slashdot.

Posted by Aubrey at 02:00 PM
December 02, 2003
Watch That Network!

If you're running a wireless network at home it's always a good idea to enable WEP (Wired Equivalent Privacy). If not enabled, or if enabled with an easily guessable password, anyone who can get within range of your access point will be able to access your network. This could allow them the ability to access network shares on your PCs (if you have any enabled) or even for them to use your broadband connection.

While it's tempting to think that having someone "borrow" your broadband connection is relatively harmless, consider this.

Wireless security for home networks is in the spotlight following an unusual arrest in Canada, where a man stands accused of downloading child pornography over a hijacked Wi-Fi connection.

Toronto police said they stopped a car last week for a traffic infraction when they found the driver naked from the waist down with a laptop computer on the front seat, playing a pornographic video that had apparently been streamed over a residential wireless hot spot. The driver was charged with possession, distribution and creation of child pornography, as well as theft of telecommunications--a first in Canada, according to local authorities.
If the "authorities" decided to trace your broadband usage, it would be difficult for you to prove that you didn't access the child porn site (although forensic analysis of your computer would not show any evidence that you accessed it, that wouldn't necessarily exonerate you, since they'd have evidence to show that the stream came through your router).

While it wouldn't land you in jail and get you listed as a sex offender, another possible problem would be if a wardriver used your connection to send spam. Since almost every ISP outlaws spam as part of their AUP (Acceptable Use Policy), and the spam would have your IP address on it, they'd just assume that you sent it and cancel your account. You would have a difficult time proving otherwise, unless the spammer was caught in the act (and they're a lot less likely to be sitting outside your house with their pants down :) ).

Posted by Aubrey at 08:02 AM
August 07, 2003
Who buys this crap?

That's the main question that always comes to mind when I get spam for various dodgy items (like "enlargement" pills). Obviously, someone is buying something or we wouldn't be getting spam (although given the economics of spam, there don't have to be very many people buying to make it worthwhile for the spammer). This Wired article helps to answer this question.

A security flaw at a website operated by the purveyors of penis-enlargement pills has provided the world with a depressing answer to the question: Who in their right mind would buy something from a spammer?

An order log left exposed at one of Amazing Internet Products' websites revealed that, over a four-week period, some 6,000 people responded to e-mail ads and placed orders for the company's Pinacle herbal supplement. Most customers ordered two bottles of the pills at a price of $50 per bottle.
Holy crap! That's a lot of people (and a lot of money for the spammer). Even more surprising was the number of people you'd think would be smarter (which I suppose proves that the cream doesn't always rise to the top).
Among the people who responded in July to Amazing's spam, which bore the subject line, "Make your penis HUGE," was the manager of a $6 billion mutual fund, who ordered two bottles of Pinacle to be shipped to his Park Avenue office in New York City. A restaurateur in Boulder, Colorado, requested four bottles. The president of a California firm that sells airplane parts and is active in the local Rotary Club gave out his American Express card number to pay for six bottles, or $300 worth, of Pinacle. The coach of an elementary school lacrosse club in Pennsylvania ordered four bottles of the pills.

Other customers included the head of a credit-repair firm, a chiropractor, a veterinarian, a landscaper and several people from the military. Numerous women also were evidently among Amazing Internet's customers.

All were evidently undaunted by the fact that Amazing's order site contained no phone number, mailing address or e-mail address for contacting the company. Nor were they seemingly concerned that their order data, including their credit card info, addresses and phone numbers, were transmitted to the site without the encryption used by most legitimate online stores.

"There was a picture on the top of the page that said, 'As Seen on TV,' and I guess that made me think it was legit," said a San Diego salesman who ordered two bottles of Pinacle in early July. The man, who asked not to be named, said he has yet to receive his pills, despite the site's promise to fill the order in five days.
So if something is 'As Seen on TV' that makes it legit. I think these people deserve everything they get. Heh.

Link via Slashdot.

Posted by Aubrey at 09:14 AM
July 21, 2003
Amazon Planning To Search Book Content

Here's one more from News.com(.com). According to this article Amazon.com is in the process of creating a searchable text index of the contents of a number of nonfiction books. This would allow the user to enter a search term and get back books that contain the term in their text, along with a short excerpt from the book to show the context in which it was found. Amazon itself is not saying anything about it, but it appears to be scheduled for activation on their site in the fall. I like the idea, since it would allow me to see if the book is truly relevant to the topic I was looking for. Of course this wouldn't necessarily be helpful for doing immediate research (i.e. I'm looking for something right now), since I'd have to wait for the book to be shipped to see all of it.

Posted by Aubrey at 09:26 PM
July 03, 2003
Attack Of The Clowns

It appears that the script kiddies are planning to try to deface a bunch of websites on July 6th.

The government and private technology experts warned Wednesday that hackers plan to attack thousands of Web sites Sunday in a loosely coordinated "contest" that could disrupt Internet traffic.

Organizers established a Web site, defacers-challenge.com, which was shut down early Wednesday evening. Before it was removed, the site listed in broken English the rules for hackers who might participate. It cautioned that "deface its crime" -- an apparent acknowledgment that vandalizing Internet pages is illegal.
I guess these pathetic fools have nothing better to do than to waste everyone's time and money by monkeying with websites.

You never really know how secure your webhost is until someone tries to attack it. For now, the best advice would be to make sure you have good backups of everything (including your databases) and to make sure you aren't using any default or weak passwords.

Link via Slashdot.

Posted by Aubrey at 10:30 AM
July 01, 2003
The Waiting Game

For the past couple of weeks I've been having problems with my cable modem. Or more specifically, it appears that Charter has been having problems, because the "cable" light on my modem keeps going off and I lose connection. When it's up, I don't have any problems connecting, so I know my home network is OK. There are no events I've been able to correlate to the outages (i.e. wind, rain, etc). My suspicion is that they're having a problem on their end (although there is a remote possibility that there is a problem with the wire from my house to their local connection point or the modem itself is going out).

Anyway, Charter's support website requires that you install their spyware in order to use their "wizard." Since I won't install that crap (I installed their software package when it first came out and it took over my browser and rebranded it; I had to reinstall Windows to get it back), I had to drop out to their web contact form. This probably puts me somewhere below fungus on their priority list, so I'm not sanguine about the probability of a fix anytime soon. I'll probably have to call them and deal with the level 1 and 2 crap before I get someone who knows what's going on.

In the meantime I probably won't be making too many updates to this site, because every time I get set to go online at home the cable modem is out.

Posted by Aubrey at 12:16 PM
June 05, 2003
Upgrades

Fry's is a dangerous place for someone like me. You can find all the parts you need to build a computer from scratch or upgrade one you already have. I've only ever gone into a Fry's once without buying something (something must have been wrong with me that day).

But now it's reached an absurd level. I've got a friend who went there tonight and called me to tell me about the current deal on a motherboard and processor (2000+ Athlon XP with MB for $69.00). So I got him to buy it for me and I'll pay him for it tomorrow. I'm going to use it to upgrade my game system. However, that will leave me with a 900MHz Athlon and motherboard. I have a spare case and hard drive. I may build another system from the cast-off parts (although I have no idea what I'll do with it). But it seems a waste to just let the parts sit there. Maybe I can find someone who's using an old computer and needs/wants something a little faster.

I'm almost tempted to think that drugs would be cheaper than computers...

Posted by Aubrey at 09:47 PM
May 30, 2003
Do Not Twist

Slashdot has a review of an interesting new keyboard. The idea behind this keyboard is to completely change the way you type so as to remove the risk of repetitive stress injury. It seems interesting, although I have little interest in relearning how to type. It's also quite expensive at $695.00.

However, I found this part amusing:

Despite--or maybe because of--the OrbitTouch's similarity to the female anatomy, it's very comfortable to use. Your hands rest very naturally on the twin domes.
There is also a warning that the domes should not be twisted. Good advice in most cases.


Posted by Aubrey at 02:47 PM
May 23, 2003
Put That Playstation To Work

The folks at the National Center for Supercomputing Applications are experimenting with the use of the Sony Playstation 2 as a computing platform. They've gone as far as creating a cluster of PS2s. While this may sound weird, it actually makes a lot of sense. The PS2 contains a custom CPU that is optimized for vector calculations (which are used quite a bit in graphics programming). Further, a Linux kit is available for the PS2 that allows it to be used as a general purpose computing node. The price-to-performance ratio makes it quite attractive, if the full potential of the chip can be obtained.

Besides, this is the sort of thing that appeals to a geek on a deep level. There's something about taking something and doing something useful with it that it was never intended to do that brings a real sense of accomplishment.

Link via Slashdot.

Posted by Aubrey at 09:20 PM
May 15, 2003
It's About Damn Time

Intuit has finally come to its senses regarding its stupid activation mechanism for TurboTax.

The Mountain View, Calif.-based software maker will discard its so-called product activation feature, the company announced Wednesday when it reported third-quarter earnings.

"Intuit has a long heritage of doing right by customers, and some of our customers didn't have the great experience they expect from Intuit," Steve Bennett, chief executive of the company, said in a statement. "Therefore we've decided to discontinue product activation next season."

The introduction of product activation technology in TurboTax for the 2002 tax year also failed to deliver the additional revenue and profit growth the company had anticipated, Bennett added. Even so, Intuit reported revenue rose by 29 percent and net income more than doubled in the quarter ended April 30, compared with the same period a year ago. The company said growth was driven by gains in its TurboTax business, which brought in $313.1 million in revenue for the quarter.

Product activation is a controversial antipiracy approach that locks a piece of software to a specific PC. Intuit's version, developed by Macrovision, runs in the background on the PC and checks for a unique activation number generated when TurboTax is installed and stored on the PC's hard drive. The technology is intended to prevent customers from printing or filing returns from any PC other than the original machine that was used to activate the software.

Customers complained, however, that the technology could make it difficult to continue using TurboTax if they were to acquire a new PC or hard drive. Many customers said they were annoyed that the product activation mechanism continually ran in the background, even when TurboTax wasn't being used, monopolizing a small chunk of their PC's memory.
All that the activation feature did was generate ill-will, complaints, and calls to tech support. I know that I don't like to pay for the privilege of being treated like a thief. In fact, I resolved never to purchase another piece of their desktop software (of any kind) as long as they continued using this activation software (and I only reluctantly used their online tax filing software, after I couldn't get their competitor's product to work).

And I don't like the product activation crap in Windows XP, either, but their market position kind of forced me into using it (that and I didn't want to have to deal with wiping and reinstalling my new laptop with Linux).

Now, perhaps I'll consider purchasing Quicken again, since my foray into using Money ended badly. I'm trying to find a good solution to keeping track of my accounts. Despite being a techno-geek, I still maintain my bank account via an old-fashioned check register (and such high-tech devices as a pen and a calculator). I ordered the BankOne branded version of Money (it had a 30-day free trial and was $29.99 if I wanted to buy it, as opposed to $59.99 normally; although now I see that Amazon has it for $19.99 after rebates). Unfortunately, Money ate my data file after about a week (it was just gone, nowhere to be found). That really ticked me off, since I'd spent a lot of time entering all of my account information and financial data into it.

Posted by Aubrey at 11:15 AM
May 13, 2003
Computing Demons

The ways of technology are mysterious, but one rule that you can count on is that the chance of technology failure increases in direct proportion to the importance or need for that bit of technology. When I turned my cell phone on at 7:45 this morning it almost immediately buzzed and beeped (causing me to nearly drop it), indicating that I had a voice message. Since I tend to use the cell mostly for outgoing calls, it usually means that something's gone wrong if I get a message on it.

A friend of mine had left me a message at 11:30 last night wondering if there was any way to recover a file. She was working on her last paper (at least until grad school) and her laptop appeared to have lost it. When I called her, it turned out to be worse than that. The file was corrupted and portions of the paper were missing. At that point, the only suggestion I could offer was to try to recover from the .TMP file left behind by Word.

I feel bad for her, because this laptop has been a pain since she got it about two years ago. It's a Sony Vaio that came preloaded with Windows ME. It tends to freeze, it has trouble writing CDs with my Iomega Predator USB burner (the Predator worked fine on my laptop, though), and sometimes it doesn't want to shut down (one time I had to pull the power cable and remove the battery pack to get it to stop). I think the thing's possessed by some kind of malevolent computing demon.

Now that school's over, she's asked me to reinstall it in the hopes that it will be more stable. I'm going to exorcise that demon with a dose of XP and the latest BIOS updates and drivers.

Posted by Aubrey at 12:32 PM
May 11, 2003
Do You Speak Klingon?

It turns out that the call for tlhIngan (Klingon) interpreters was a joke of sorts. Of course, the computer industry has been ready to deal with this sort of situation for a couple of years. The Internet Assigned Numbers Authority (IANA) has assigned it the language tag i-klingon for use in locale-sensitive code.

Klingon is interesting in that it is an actual language that can be used for real communication. The writers of Star Trek wanted it to make sense, so they consulted a linguist (Dr Marc Okrand). After the publication of The Klingon Dictionary: English-Klingon Klingon-English in 1992, some people got together and created The Klingon Language Institute.

As they say, you haven't read Hamlet until you've read it in the original Klingon. :)

A word of caution--the Klingon Language Institute seems to be run off the world's slowest server, so some of those links above may take a while to open.

From what I can see, though, the most important phrase you can know in tlhIngan is "nuqDaq yuch Dapol", which translates as "Where do you keep the chocolate?"

I wonder what the tlhIngan phrase for "Trek geek" is...

Qapla'

Posted by Aubrey at 07:39 PM
April 23, 2003
Toys

There's an old saying that the difference between men and boys is the price of their toys. I would love to have one of these to replace my two-year-old Palm Vx, but aside from my living room, I don't go to many places that have 802.11b access.

Posted by Aubrey at 10:43 AM
April 18, 2003
And One More Thing

Thanks to the asswitted pissant who created W32.HLLW.Nebiwo, all of us are required to run a manual virus scan on our machines here at work. I usually endure this hellish scan on Mondays from 12:00 to 4:00. My poor pathetic laptop is grinding itself into a slow death as it scans files (current stats--515500 files scanned, elapsed time 198:45; update: final stats--714350 files scanned, elapsed time 273:33).

I hate virus writers with a passion, because most of them are pathetic little teenaged asswipes who downloaded a virus kit. To the nitwit who released W32.HLLW.Nebiwo, I hope your already tiny nether parts shrivel up and blow away.

Posted by Aubrey at 03:11 PM
April 17, 2003
And Take Your Paperclip With You...

Working in the IT business, I can appreciate a lot of these. That first button is especially appropriate.

Posted by Aubrey at 01:17 PM
April 11, 2003
Spam, Spam, Spam...

When I did my taxes recently I tried to use Kiplinger's TaxCut instead of TurboTax, because I was upset with TurboTax for their product activation policy. I checked out the features on the box for TaxCut and it seemed to compare favorably in that it listed the ability to download my stock trade info and my W2. Unfortunately, the reality turned out to be less impressive. It turned out that they didn't support my company's W2 download and they only supported about 8 brokerage firms. It seemed kind of cheesy to me that they couldn't download data from E*Trade.

So out of frustration after trying to import data via files, I gave up and used TurboTax online. The TurboTax software worked quite well and included a very useful cost basis calculator (which came in handy with some stock that I sold off as a single lot that was originally bought in three lots).

As part of the Kiplinger TaxCut setup, it asked me to register. Being suspicious of registration schemes, I always make up a new email address for each company that I do business with online. It only took a week before I started getting spam at the new address that I used, despite the fact that I opted out of ALL emails from them. What's worse is that they were using an outside agency, so it implies that someone actually had to go to the trouble of pulling the data and sending it to the spamhaus.

They just blew their one and only chance to work with me. I won't be buying TaxCut in the future, regardless of whether they fix their import problems. I'm serious about not wanting any email crap. I get a bunch of email as it is and I don't need unsolicited offers crowding out real email. If I get another spam from them I will redirect the address so that the email is sent to one of their online contact emails (or, if I can find it, to their CEO).

Posted by Aubrey at 03:25 PM
April 07, 2003
Distributed People

The conference I'm attending is for technical people from my company. A variety of technical sessions are being offered through Wednesday. I attended one today concerning creating highly-available systems. The presenter was a former chief engineer on a nuclear sub who now works for the company. His point throughout the presentation was that your system's reliability depends not only on technology, but also on your people and the processes that they follow.

The most interesting point he brought out was something that was learned from 9/11. We in the industry were quick to set up redundant systems in geographically separated datacenters and to put procedures in place for offsite backups, but we forgot about distributing people. The companies that were located in the World Trade Center had offsite backups and redundant systems in place, but they didn't have people who were ready to step in and fill the positions of those who were killed. All that physical preparation wasn't very useful because there were no people available who knew the systems.

I have to admit that I hadn't given much thought to this topic before, even though I've seen what happens when people become too specialized and aren't cross-trained on each other's jobs. It's one more thing to factor into the next system that I'm involved with.

Posted by Aubrey at 08:44 PM
March 30, 2003
Broadband Withdrawal

Better now, though I was going through withdrawal symptoms there for a while, since the *$%^#@$ cable modem went down around 6:00 and just came back up. Argh!

Posted by Aubrey at 10:09 PM
Broadband Follies

I am being frustrated by cable modem outages. You don't realize how much you use it until it doesn't work. The system has been going down randomly for the past few days, usually in the evenings.

But I experienced a power-related cable modem outage this morning. We had a very short power outage this morning (just one or two seconds). Whenever the power takes a hit, I have to force a DHCP lease renewal before my internet connection will work again. Since my router and cable modem are protected by my UPS, it makes me suspect that Charter doesn't have a backup power supply on their headend.

Posted by Aubrey at 03:03 PM
March 20, 2003
Cisco To Buy Linksys

Everyone else is doing a far better job of war coverage than I ever could, so I guess I'll stick to my usual stuff....

The 802.11g specification is still a draft standard, so there will be some potential problems deploying products based on that standard. So despite my recent problems with a WPC54G card, I still like Linksys products. Which is why I'm a bit concerned about the news today that Cisco is planning to buy Linksys. I understand that Cisco makes good products in the corporate environment, but I've not had much exposure to them. I'm a software guy, so their products are hidden from me at work and I haven't used them at home. My hope is that they will keep the Linksys product line distinct from their other products. This could happen, since the reason given for Cisco's purchase is that they wanted to get into the home wireless LAN business, which is an area where Linksys is very strong.

I guess I'll just have to wait and see what happens.

Posted by Aubrey at 10:16 AM
March 16, 2003
What Were They Thinking?

One of my criteria for evaluating notebooks was the size and quality of the keyboard. I'm a touch typist and the keyboard makes a big difference to me. The keyboard needs to be big enough to accommodate my hands (and should ideally be close to full size). Further, it needs to have a layout that makes sense (it should mimic a full size keyboard wherever possible).

The reason I mention this is that the Toshiba laptops that I saw looked good in all respects except one: I couldn't find the delete key. Maybe they had one, but I couldn't find it. Given my habits with the keyboard, not having a delete key in a sane position would drive me nuts.

Posted by Aubrey at 09:09 PM
Bye Bye Best Buy

I've always been kind of ambivalent about Best Buy. Today, though, they've probably lost me for good. I had decided that I wanted to get a laptop for use around the house, since I'm getting tired of being tied to my desktop (which is in my home office). After doing some online research and visiting a couple of stores, I was ready to buy today. I went in to the Best Buy in Lewisville, and after examining their available systems, I found one that I liked. The problem was that there was no one available to assist me when I was ready to buy (despite there being plenty of people around when I started looking). I think what finally did it for me was the overall noise level in the store. Combined with being ignored, it made for a very annoying experience.

I'm currently writing this entry from a laptop that I purchased at CompUSA. The experience there wasn't that great, either, although they did have someone available to take my money. The salesman pushed a bit too hard to get me to buy the extended service plan (to the point of asking me afterward why I didn't buy it and almost trying to argue with me about it, even though I had politely declined), and they tried to gather my personal info at the checkout (which I also politely declined). Finally, the advertised price included two mail-in rebates, but now that I've had a chance to examine the terms (they were both online, so I couldn't see them at the time), I find that both of them want the original UPC code. I've sent in a complaint to CompUSA about this, since it seems deceptive to me to advertise both rebates if you can't redeem both of them (and their ad for the laptop definitely shows both rebates, which can be seen here).

Of course, the fact that this laptop doesn't want to work with the Linksys WPC54G card doesn't make me any happier (I've currently got a cable strung across the living room to my wireless bridge). But that's an issue I'll take up with Linksys and the laptop manufacturer. This is a new model of laptop, so there may be some BIOS issues to work out.

Update: CompUSA informed me today that they will accept copies of the UPC when there are multiple rebates.

Posted by Aubrey at 08:53 PM
March 13, 2003
It's The Small Stuff That Gets You

This will quickly fall off into computer geek land, so those who don't care for such things may wish to scroll down.

I'm working on a web project that has to access some backend (legacy) systems. Of course our corporate security people don't allow direct access to these systems (and rightly so) from systems that are accessed from the internet. They have created a couple of layers of firewalls, so that when you access one of our online applications, your request is proxied and redirected across a firewall into the hosting zone (not the actual names used by our security people). Even though this zone is protected, it is still not trusted. If a system needs access to something in the internal network, it has to go through an intermediary system which has been certified and approved for crossing the firewall.

Our application has been designed to use a Web Services interface to access the data that it requires. We have put in place a set of these services on the internal network that will access the backend systems. We're using SOAP over HTTP for this. Since the security folks won't allow HTTP traffic across the firewall, we have to use another protocol (in this case it's a bit of messaging middleware). To prevent our application from having to know about all this, we created a "bridge" that takes an HTTP request and puts it into a message. There is another application running on the internal network that dequeues the message, contacts the web service, and puts the result back into a message, which gets sent to the front-end of the bridge. If this sounds like a very round-about way of doing things, it is, but we're required to do things like this for security purposes (that and our bridge code is very careful to accept requests only from validated systems/users and to send the requests to validated target URLs; it won't act as a standard HTTP proxy).

Anyway, the bridge code works fine in every instance except one. If the web service throws an exception, the bridge was not passing it on to the caller. After going back and forth through the Java code, it appears that this all comes down to a peculiarity of how Java handles URLs. The URL requires a trailing slash ('/'), which had been left off in the configuration file that specifies the target URL. Normally, this doesn't seem to matter. The SOAP client code doesn't care, and a web browser wouldn't either. If that trailing slash isn't there, a call to HttpURLConnection.getInputStream() will throw a FileNotFoundException (but only when there is a SOAP fault, which causes an HTTP 500 return code).

It's one of those things that drive you crazy. You search and search for a bug in the code only to find that it's in the JDK and it can be fixed by a small change to the URL. One of my team members has been looking at this all week and I finally got involved and spent most of today on it.

With computers, you really do have to sweat the small stuff. Now I need to get away from this computer for a while to let my eyes uncross after reading code, scanning books and manuals, and searching online discussions all day.

Posted by Aubrey at 03:58 PM
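
The bridge in the post above forwards only to validated target URLs, and its bug came from a target configured without a trailing slash. The sketch below is an added example, not the author's bridge code (which was Java): it canonicalizes both the configured targets and each requested target, so the two spellings compare equal and the outgoing URL always carries the slash. The host names, paths and the exact-match policy are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample configuration (hypothetical hosts and paths). The first
# entry lacks the trailing slash, like the configuration file in the post.
CONFIGURED_TARGETS = [
    "http://ws.internal.example:8080/services/accounts",
    "http://ws.internal.example:8080/services/orders/",
]


class TargetRejected(ValueError):
    """Raised when a URL is malformed or is not an approved target."""


def canonicalize(url):
    """Reduce a URL to (scheme, host, port, path), path ending in '/'."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise TargetRejected(f"unparseable URL: {exc}") from None
    if parts.scheme not in DEFAULT_PORTS:
        raise TargetRejected("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise TargetRejected("userinfo not allowed")
    if not parts.hostname:
        raise TargetRejected("missing host")
    if parts.query or parts.fragment:
        raise TargetRejected("query or fragment not allowed")
    path = parts.path or "/"
    if "%" in path or "\\" in path:
        raise TargetRejected("encoded or backslash characters in path")
    segments = path.split("/")
    if "." in segments or ".." in segments:
        raise TargetRejected("dot segments in path")
    if not path.endswith("/"):
        path += "/"  # the normalization the post's configuration fix did by hand
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port, path)


def load_targets(urls):
    """Canonicalize the configuration once; a bad entry fails at startup."""
    return frozenset(canonicalize(u) for u in urls)


def forward_url(requested, allowed):
    """Return the canonical URL to call, or raise TargetRejected."""
    target = canonicalize(requested)
    if target not in allowed:  # exact match only, never a prefix match
        raise TargetRejected("target not in allow-list")
    scheme, host, port, path = target
    netloc = f"[{host}]" if ":" in host else host
    if port != DEFAULT_PORTS[scheme]:
        netloc += f":{port}"
    return f"{scheme}://{netloc}{path}"


def is_allowed(requested, allowed):
    """Boolean wrapper around forward_url for callers that only need yes/no."""
    try:
        forward_url(requested, allowed)
        return True
    except TargetRejected:
        return False


ALLOWED = load_targets(CONFIGURED_TARGETS)

if __name__ == "__main__":
    for candidate in CONFIGURED_TARGETS + [
        "http://ws.internal.example:8080/services/accounts-admin",
        "http://ws.internal.example/services/accounts",
    ]:
        print(candidate, "->", is_allowed(candidate, ALLOWED))
```

Matching on the parsed components rather than on a string prefix is what keeps a look-alike path or a different port from passing the check.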
March 12, 2003
The Bigger Hammer Technique

I have to admit that there have been times recently when I've been sorely tempted to do this:

George Doughty hung his latest hunting trophy on the wall of his Sportsman's Bar and Restaurant. Then he went to jail.

The problem was the trophy was Doughty's laptop computer.

He shot it four times, as customers watched, after it crashed once too often.

After one too many times listening to my laptop swap memory simply to open a new window (or even the damn Start menu) I might respond in a similar fashion. It's like swimming in molasses.

As a public service reminder, though, I should caution against shooting your computer in a public place. Take the computer to a suitable location where it is safe (and legal) to discharge a firearm. Otherwise, like Mr. Doughty, you may be facing some annoying charges.

Link via The Volokh Conspiracy.

Posted by Aubrey at 10:24 PM
March 09, 2003
More Wireless

The bridge is up and running and the Audiotron is getting its data via the wireless bridge. Next I will remove the wire, which I had strung along the edge of the ceiling using an adhesive wire track. After that I will look into hooking up the Tivo so I can get rid of the phone wire as well.

I think that I'm going to have to acquire a new cordless phone, though. My 2.4GHz Panasonic absolutely stomps my wireless connection when the talk button is pressed. Some research that I've done on Google this morning suggests that the Panasonic phone happens to be the worst offender at this. I'll either get a 5.8GHz phone or go back down to 900MHz (and whatever it is, it won't be a VTech 5.8, which is a dual-frequency phone that uses 2.4GHz for the handset).

Posted by Aubrey at 12:29 PM
March 08, 2003
The Golden Age Of Wireless

I have almost completed my quest for wireless. The router/access point is up and running, my primary Linux system is communicating with the outside world (including incoming SSH), and I'm writing this from my laptop over the wireless network.

All that's left now is to set up the Wireless Ethernet Bridge so I can hook up the Audiotron and get rid of that unsightly wire running down the hall. I think I'll save that for tomorrow, since working with the rat's nest of wires behind the entertainment center is a real pain in the nether regions.

Ok, so I'm a geek. I enjoy playing with technology (and my job these days doesn't let me "get my hands dirty" anymore).

* Brownie points to whoever gets the reference in the title.

Posted by Aubrey at 09:13 PM
March 03, 2003
Thanks For The Memory

Lexar will be introducing flash memory cards with 2GB and 4GB capacities. This means that you could take a tremendous number of photographs with a digital camera before having to download, even at the highest resolutions. My 2 megapixel digital camera can store approximately 400 pictures on a 256MB flash card at the highest quality and resolution. My recent experience with a film camera has definitely brought me back around to the digital camp. There is no developing cost, no waiting for the pictures to come back, and with large memory capacities you can take lots of pictures in the hopes of getting the shot that you want.

Posted by Aubrey at 08:57 PM
February 23, 2003
The Quest For Wireless

I have been considering a couple of upgrades for my home network. First, I'd like to move the firewall and router duties off of a PC and onto a dedicated router (less power, less heat, less noise, and less cost). And secondly I would like to be able to use my laptop without having to plug into the network. The network equipment companies are now starting to deliver 802.11g devices, which have a maximum possible throughput of 54Mbps (as compared to 11Mbps for the older 802.11b standard). One downside, though, is that 802.11g is still a draft standard and is not yet finalized. However, most of the devices that I am considering have upgradeable firmware that will allow them to be upgraded should the standard change by the time it is finalized.

One of the great things about having the Internet as a resource is that companies can make available more information than they could in the past, when they would have to rely on salespeople (who are mostly clueless about this stuff) and glossy brochures (which often weren't worth the paper they're printed on). Getting answers to technical questions could be difficult (even if the company has a technical presales group). In my case, one of the things that I need is the ability to forward SSH requests through the firewall to my Linux system. I'm considering the Linksys WRT54G, which is a wireless access point with a router/firewall (and 4 wired 10/100 Ethernet ports). Linksys actually provides the manuals for almost all of their devices on their site, which made answering my question much simpler. I downloaded the manual and was able to determine that the router does support port forwarding and as a bonus it can also directly update the DynDNS.org database with the latest IP address (which was a pleasant surprise and appears to be a new feature they've added since the last time I looked at their routers).

This kind of information availability is one of the things that has kept me using their products for all of my home networking for the past 5 years. I got started with them because of their LNE100TX PCI cards, which were inexpensive and easy to use, and it's grown from there. So, when I finally decide to pull the trigger on this network upgrade, it'll probably be with the Linksys equipment.

Posted by Aubrey at 01:49 PM
February 21, 2003
Feeling Drained?

This is the kind of thing that really gets me steamed. Here's the overview:

To: ukcrypto-at-chiark.greenend.org.uk
Subject: Citibank tries to gag crypto bug disclosure
Date: Thu, 20 Feb 2003 09:57:34 +0000
From: Ross Anderson <Ross.Anderson-at-cl.cam.ac.uk>

Citibank is trying to get an order in the High Court today gagging public disclosure of crypto vulnerabilities:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf

I have written to the judge opposing the order:

http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf

The background is that my student Mike Bond has discovered some really horrendous vulnerabilities in the cryptographic equipment commonly used to protect the PINs used to identify customers to cash machines:

http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf

These vulnerabilities mean that bank insiders can almost trivially find out the PINs of any or all customers. The discoveries happened while Mike and I were working as expert witnesses on a `phantom withdrawal' case.

The vulnerabilities are also scientifically interesting:

http://cryptome.org/pacc.htm

For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys. Our courts and regulators should make the banks fix their systems, rather than just lying about security and dumping the costs on the customers.

Curiously enough, Citi was also the bank in the case that set US law on phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an omen, if not a precedent ...

It's bad enough that we often get dinged for the incompetence of some corporations (like Charter Communications starting to charge me rent for a cable modem I bought two years ago), but I understand that mistakes happen. However, attempting to cover up mistakes really gets me going. In this case, it appears that Citibank is trying to cover up something that is costing people money. It's the kind of thing that (on an emotional level) makes me hope that Citibank gets their ass handed to them in this case.

The above link also contains more information about the process of the attack.

Via Slashdot.

Posted by Aubrey at 02:33 PM
January 21, 2003
5GB On A Credit Card

PCWorld is reporting that a company called StorCard has created a credit card-sized data storage device that can store from 100MB to over 5GB. It uses a mylar disc inside the card to store the data and includes a magnetic stripe for possible future use in magnetic readers. Additionally, it includes an integrated processor that can perform data encryption. The company claims that the readers will retail for under $100.00 and the cards will be under $15.00.

I could think of some handy uses for an inexpensive storage medium that could hold lots of data in a small form factor. However, I noticed that the company claims that their technology "targets government, healthcare, law enforcement and public safety markets." This sets off alarm bells for the civil libertarian in me. I have some concerns about misuse of this technology by those who would number and control us every second of our lives. I hope this company doesn't think it's going to profit from some kind of national ID card scheme. If so, then I won't care anymore about the handy uses of the technology. I will regard them as my sworn enemy and will work to do everything in my power to destroy them. That may sound harsh, but don't underestimate the power of a sufficiently vocal group of unhappy people. If you think we can't make a difference, just ask Richard Sharp (former CEO of Circuit City) about DIVX (and the $100 million he threw down the toilet on it).

Via Slashdot.

Posted by Aubrey at 09:24 AM
December 21, 2002
Pop-Ups/Unders To Suck More

Via this article at News.com (.com.com.com....) I have learned that those damn pop-up and pop-under ads are going to suck even more, thanks to something called "kick-through".

Pop-ups add new twist

By Stefanie Olsen
Staff Writer, CNET News.com
December 20, 2002, 1:09 PM PT

Pop-up advertisements, already the bane of millions of Web surfers, are becoming more intrusive.

Pop-up and pop-under ads open a new window when people visit many popular Web sites, often littering the computer desktop with multiple browser screens. Advertisers hope people will visit the promoted Web page by clicking anywhere on the window, although many simply close it by selecting the "X" box in the top-right corner.

But a relatively new feature may make it harder for people to avoid these windows. Using a technique called the "kick through," advertisers can direct a person to another Web site if they simply move their cursor across the pop-up ad--no clicking is necessary.

Discount travel retailer Orbitz, for example, is delivering millions of holiday-themed kick-through ads on The New York Times, ESPN.com and CondeNast sites in addition to others. The ads feature various animated games, and recipients who simply "mouse" over them are shuttled to Orbitz's home page.

Many people who have encountered the ads say they overstep the boundaries of an already intrusive and loathed form of Web advertising.

"When I tried to close the window it kicked me to the site, which is really annoying when I have six windows open and three of which were not by my own doing," said Diane Schreiber, a high-tech executive who lives in Brisbane, Calif.

I'll take Alt-F4 for $500, Alex.

But here's where we enter the fantasy world of the online marketer:

Chicago-based Orbitz, which appears to be the only advertiser using the kick through, defended the strategy. The company regularly uses pop-unders to invite people to search for discount travel fares. Because online travel has such widespread appeal, ads that "roll over" directly to the site hold value for many people (emphasis added), according to the company's interactive ad agency, Otherwise.

What the hell kind of name is "Otherwise?" Who names these companies? And I'd like to meet these people who get value out of these roll over ads. Perhaps I could convince them to stop screwing it up for the rest of us.

"The enormous success for Orbitz is directly related to these pop-unders," said Mark Rattin, creative director for Chicago-based Otherwise. "There's an enormous segment of the population that are appreciating these ads." (emphasis added) He said that similar commercials have appeared online over the last eight months.

And some people appreciate genital torture, but you don't see the rest of us clamoring for it, you obtuse prick.

Oh well, it's not like I could withhold any further business from them. I already make a point of avoiding any company that uses pop-ups or pop-unders. Short of random carpet bombing, there's not much left that I can do to Orbitz.

Posted by Aubrey at 06:07 PM
December 15, 2002
For Goodness Snakes...

I once found a huge spider in one of my case fans when I was cleaning it, but this takes the cake.

Link via this article at Samizdata.net.

Posted by Aubrey at 01:15 PM
December 11, 2002
The Manifold Joys of IE

I received an email this afternoon that someone was having problems accessing this site. Specifically, the browser was spewing out a bunch of XML followed by an error message ("The XML page cannot be displayed. Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later."). I started poking around and found a few problems with my coding (I forgot to put some of my image attributes in quotes and I forgot to close some <img> tags with a space and a slash -- e.g., <img src="..." width="x" height="y" />).

The person having the problem was running IE 5.5 (with no fixes), so it appears to me that it was incorrectly interpreting the page as XML rather than (X)HTML. I was able to duplicate the error by copying index.html to testindex.xml. But after fixing the above problems I realized that there are a couple of cases where I use characters that require escaping in XML but that are valid in HTML (the '&' symbol in a CGI call, for example, requires escaping). Unfortunately, fixing that would break the site for most browsers (Update -- apparently not true according to the XHTML docs I've been reading).

My suspicion is that this is a bug in the original IE 5.5 and that it is not interpreting the first line of the file correctly. Incidentally, the first line of the file was "<?xml version='1.0 encoding='UTF-8'?>", which was added to fix the infamous F11 bug with IE 6.0. I've temporarily removed this line to see if the person having the problem can load the page.

I should note that I've verified that the page loads correctly in IE 6 with the latest fixes applied (at least on my XP system) (and without the F11 fix), in IE 5.5 with SP1 (on Win2K), and Mozilla 1.1 (Linux). The site looks like crap with NS 4.7x (but is anyone still using it?).

Update: I put the xml line back and added some other magical incantations to the source to see if I can accommodate both browsers.

Update 2: No joy. I took out the xml line for now. It's kind of disappointing, because the XHTML standard strongly recommends it (although it doesn't require it). In any event, I ran this site through an XHTML validator and discovered several problems, especially with blockquotes. I will continue fighting with XHTML later.

Posted by Aubrey at 08:00 PM
Goodbye To An Old Friend

It was with a bit of nostalgia and sadness that I greeted this article about the final demise of OS/2. I worked with it from 1993 until sometime in 2000. My first job was doing NetWare technical support and I was the OS/2 client guru for the team (we also had a version of NetWare that would run with OS/2, but it never caught on). My next job involved doing OS/2 Presentation Manager programming, and that's what allowed me to get into the position that allowed me to grow into my current position. We moved all of our client code to Win32 in 2000, and I finally migrated off OS/2 on my work desktop shortly after that.

I was never a fanatic about it (I didn't go around preaching the gospel of OS/2, like some people do with Macs or Linux today), but I thought that OS/2 had a lot of potential and I liked working with it. The WPS was a true technical innovation, and the underlying kernel was pretty solid. A well configured OS/2 LAN server could match or outperform both NetWare and MS servers. I was disappointed at how it was handled and I was ultimately chased away from it because of technical problems (as OS/2 got less and less attention from IBM and vendors, it became increasingly difficult to interact with web sites and to find programs to read documents).

Oh well, all things must eventually come to an end.

Posted by Aubrey at 11:22 AM
November 13, 2002
The Crap In Your Inbox

Wondering where all that crap in your inbox is coming from? It's coming from people like this.

Here are the full details on her "business".

She claims that all of her lists are "opt-in". Given my experience with spammers, that's usually a blatant lie. It's people like her who force the rest of us to take extreme measures to protect our email addresses and to eye everyone who asks for an email address with suspicion.

I create a new email address for each place that I do business with, which includes the business name and sometimes the promotion. I examine privacy policies when I sign up for an account to see how they will use my email. I make sure that all "opt-out" checkboxes are checked. I don't post my email address to newsgroups. I mangle my email address for this web page (even before anyone knew this page existed I was getting crawled by spambots).

What I've found is that the majority of reputable companies are honoring my requests. However, there are a few out there who conveniently decide to "forget" my settings and start sending me crap. Maybe they're thinking I'll have forgotten about telling them not to send me stuff. Anyway, I always tell them to stop. If they don't stop after a reasonable amount of time I'll stop doing business with them and then redirect all email to that address to someone in their customer service organization (or to their sales address). When their own spam gets back to them, it seems to get their attention (or at least it worked with marketing -at- carparts.com -- I'm not mean enough to post their unobfuscated address here :) ).

Posted by Aubrey at 04:05 PM
Be Careful Out There

This is why you should be careful about what data you put out on your web site. Just because there isn't a link to it doesn't mean that someone can't find it.

... Scan your company's Web servers. Find the files that aren't linked to your public Web site. Then track down their owners and remind them that whatever they put on a Web server is accessible to anyone on the Internet.

Point out that if someone on the Internet can guess the URL of a piece of business information, even if it's not linked, it's not safe. And that's true whether the information is financial data, marketing plans or personnel records, and whether the guesser is a reporter, an employee, an investor or a competitor.

And if they think it can't happen to them, tell them about Intentia. And remind them that your CEO probably isn't desperate enough to call the cops if proprietary information leaks out by way of unnecessary, unlinked files on your company's Web servers.

But he'll probably know who's guilty.
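The audit the quoted advice describes, finding files that sit in a web root but are not linked from the public site, can be sketched as follows. This is an added example, not code from the article or this blog; the sample site, its file names, and the `site.invalid` placeholder host are constructed for illustration.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import unquote, urljoin, urlsplit

BASE = "http://site.invalid/"  # placeholder origin used only to resolve relative links

class LinkParser(HTMLParser):
    """Collect every href/src attribute value in a page."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in ("href", "src") and v]

def unlinked_files(docroot, start="index.html"):
    """Return files present under docroot that no page reachable from start links to."""
    docroot = os.path.realpath(docroot)
    on_disk = {os.path.relpath(os.path.join(d, f), docroot).replace(os.sep, "/")
               for d, _, files in os.walk(docroot) for f in files}
    reachable, queue = set(), [start]
    while queue:
        rel = queue.pop()
        if rel in reachable or rel not in on_disk:
            continue
        reachable.add(rel)
        if not rel.lower().endswith((".html", ".htm")):
            continue  # only HTML pages are parsed for further links
        parser = LinkParser()
        with open(os.path.join(docroot, rel), encoding="utf-8", errors="replace") as fh:
            parser.feed(fh.read())
        for ref in parser.refs:
            target = urlsplit(urljoin(BASE + rel, ref))
            if target.netloc != "site.invalid":
                continue  # external or non-HTTP link (mailto:, other hosts)
            path = unquote(target.path).lstrip("/")
            queue.append(path + "index.html" if path == "" or path.endswith("/") else path)
    return sorted(on_disk - reachable)

def build_sample_site(root):
    """Constructed sample docroot: four linked files and two forgotten ones."""
    files = {"index.html": '<a href="about.html">About</a><img src="/img/logo.png">'
                           '<a href="http://example.com/">Partner</a>',
             "about.html": '<a href="reports/">Reports</a>',
             "reports/index.html": '<a href="../index.html">Home</a>',
             "img/logo.png": "",
             "reports/q3-draft.xls": "",  # never linked, but guessable
             "backup/site.tar.gz": ""}    # never linked, but guessable
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        print("\n".join(unlinked_files(root)))
```

This follows static HTML links only, so files referenced from scripts or server-side code will also show up; treat the output as a list to review with each file's owner rather than a list to delete.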


Posted by Aubrey at 02:22 PM
August 30, 2002
Shattering Windows

Here's an interesting article on a security vulnerability (privilege escalation exploit) in Microsoft Windows (all versions that use the Win32 API).

The ability to send messages between windows in different processes is something I was familiar with, but I hadn't given much thought to the security exploit implications of it (although I was well aware of memory protection issues, etc., given I'd played around with some code like this when I was learning the Win32 API). I had been viewing it as a feature that allowed a program to communicate with other windows. In fact, some fairly handy tools probably use this feature (like WinRunner).

I found this section interesting, though:

This research was sparked by comments made by Microsoft VP Jim Allchin who stated, under oath, that there were flaws in Windows so great that they would threaten national security if the Windows source code were to be disclosed. He mentioned Message Queueing, and immediately regretted it. However, given the quantity of research currently taking place around the world after Mr Allchin's comments, it is about time the white hat community saw what is actually possible.

At the time Allchin made those comments, I thought that they were a desperate ploy to avoid opening up the Windows source code. I also thought that it was pretty arrogant to assume that Windows is that important. But then I thought about the fact that NT (3.5 and 4.0) is C2 certified, so I just let it pass.

The exploit requires the ability for a user to run arbitrary code. But that's not as difficult as one might think, and it's a privilege escalation exploit, so it could allow a guest user to gain system access.

Some more discussion on the topic from slashdot: Shattering Windows

Posted by Aubrey at 04:26 PM
March 08, 2002
Keep your grubby laws off my computer

This article at Fox News details the nefarious plan by Senator Fritz Hollings (D-S.C.) (who is bought and paid for by the recording industry) to require "digital rights management" in all digital devices.

Consider the following excerpt from the bill: "It is unlawful to manufacture, import, offer to the public, provide or otherwise traffic in any interactive digital device that does not include and utilize certified security technologies."

To paraphrase Charlton Heston's character in Planet of the Apes:

"Keep your grubby laws off my computer, you damn dirty senator."

More background:

Slashdot article--"Senator from Disney" :)

Downloading can't be stopped--Why the music (and film) industry will lose this battle.

Posted by Aubrey at 09:26 PM